Fix event logging context bug on non-existing endpoints (#354)

Co-authored-by: jrmccannon <[email protected]>

Author: Jonas Hendrickx

src/AdminConsole/Middleware/EventLogStorageCommitMiddleware.cs

@@ -2,14 +2,21 @@
 
 namespace Passwordless.AdminConsole.Middleware;
 
-public class EventLogStorageCommitMiddleware
+public partial class EventLogStorageCommitMiddleware
 {
     private readonly RequestDelegate _next;
 
     public EventLogStorageCommitMiddleware(RequestDelegate next) => _next = next;
 
     public async Task InvokeAsync(HttpContext context, IEventLogger eventLogger)
     {
+        // If the request is not in our routing tables, skip this middleware.
+        if (context.GetEndpoint() == null)
+        {
+            await _next(context);
+            return;
+        }
+
         try
         {
             await _next(context);

src/Api/Middleware/EventLogContextMiddleware.cs

@@ -13,6 +13,13 @@ public class EventLogContextMiddleware
 
     public async Task InvokeAsync(HttpContext context, IEventLogContext eventLogContext, IFeatureContextProvider featureContextProvider)
     {
+        // If the request is not in our routing tables, skip this middleware.
+        if (context.GetEndpoint() == null)
+        {
+            await _next(context);
+            return;
+        }
+
         var tenantId = context.Request.GetTenantName();
         var requestKey = context.Request.GetPublicApiKey() ?? context.Request.GetApiSecret();
         var isAuthenticated = context.User.Identity?.IsAuthenticated ?? false;

src/Api/Middleware/EventLogStorageCommitMiddleware.cs

@@ -20,6 +20,13 @@ public EventLogStorageCommitMiddleware(RequestDelegate next, ILogger<EventLogSto
     /// <param name="provider">Used to get the `IEventLogger` instance based on the current state of the request.</param>
     public async Task InvokeAsync(HttpContext context, IServiceProvider provider)
     {
+        // If the request is not in our routing tables, skip this middleware.
+        if (context.GetEndpoint() == null)
+        {
+            await _next(context);
+            return;
+        }
+
         try
         {
             await _next(context);

src/Service/EventLog/Loggers/UnauthenticatedEventLoggerEfWriteStorage.cs

@@ -19,7 +19,9 @@ public UnauthenticatedEventLoggerEfWriteStorage(
 
     public async override Task FlushAsync()
     {
-        if ((await _featureContextProvider.UseContext()).EventLoggingIsEnabled)
+        var featuresContext = await _featureContextProvider.UseContext();
+
+        if (featuresContext.IsInFeaturesContext && featuresContext.EventLoggingIsEnabled)
         {
             await base.FlushAsync();
         }

src/Service/Features/FeatureContextProvider.cs

@@ -22,17 +22,27 @@ public FeatureContextProvider(
             if (httpContext == null) return new NullFeaturesContext();
 
             string appId = null;
-            if (httpContext.Request.RouteValues.ContainsKey("appId"))
-            {
-                appId = httpContext.Request.RouteValues["appId"].ToString();
-            }
-            if (httpContext.Request.Headers.ContainsKey("ApiKey"))
+
+            try
             {
-                appId = ApiKeyUtils.GetAppId(httpContext.Request.Headers["ApiKey"].ToString());
+                if (httpContext.Request.Headers.ContainsKey("ApiKey"))
+                {
+                    appId = ApiKeyUtils.GetAppId(httpContext.Request.Headers["ApiKey"].ToString());
+                }
+                else if (httpContext.Request.Headers.ContainsKey("ApiSecret"))
+                {
+                    appId = ApiKeyUtils.GetAppId(httpContext.Request.Headers["ApiSecret"].ToString());
+                }
+                else if (httpContext.Request.RouteValues.ContainsKey("appId"))
+                {
+                    appId = httpContext.Request.RouteValues["appId"].ToString();
+                }
             }
-            if (httpContext.Request.Headers.ContainsKey("ApiSecret"))
+            catch (ArgumentException)
             {
-                appId = ApiKeyUtils.GetAppId(httpContext.Request.Headers["ApiSecret"].ToString());
+                // In case of a bad api key format, we may not be able to obtain the tenant context.
+                // We'll just return a null context as we won't have a need to log the bad api key.
+                return new NullFeaturesContext();
             }
 
             if (string.IsNullOrWhiteSpace(appId)) return new NullFeaturesContext();

tests/Api.IntegrationTests/Endpoints/Events/EventsTests.cs

@@ -6,7 +6,9 @@
 using Passwordless.Api.IntegrationTests.Helpers.App;
 using Passwordless.Common.Constants;
 using Passwordless.Common.EventLog.Enums;
+using Passwordless.Common.Extensions;
 using Passwordless.Common.Models.Apps;
+using Passwordless.Service.Models;
 using Xunit;
 using Xunit.Abstractions;
 
@@ -176,8 +178,8 @@ public async Task I_can_view_the_event_for_disabling_the_generate_sign_in_token_
         using var appCreationResponse = await _client.CreateApplicationAsync(applicationName);
         var accountKeysCreation = await appCreationResponse.Content.ReadFromJsonAsync<CreateAppResultDto>();
         _client.AddSecretKey(accountKeysCreation!.ApiSecret1);
-        _ = await _client.EnableEventLogging(applicationName);
-        using var enableResponse = await _client.PostAsJsonAsync($"admin/apps/{applicationName}/sign-in-generate-token-endpoint/disable",
+        await _client.EnableEventLogging(applicationName);
+        await _client.PostAsJsonAsync($"admin/apps/{applicationName}/sign-in-generate-token-endpoint/disable",
             new AppsEndpoints.DisableGenerateSignInTokenEndpointRequest(user));
 
         // Act
@@ -193,6 +195,107 @@ public async Task I_can_view_the_event_for_disabling_the_generate_sign_in_token_
         enabledEvent!.PerformedBy.Should().Be(user);
     }
 
+    [Fact]
+    public async Task I_can_view_the_event_for_using_a_disabled_api_secret()
+    {
+        // Arrange
+        var applicationName = CreateAppHelpers.GetApplicationName();
+        using var createApplicationMessage = await _client.CreateApplicationAsync(applicationName);
+        var accountKeysCreation = await createApplicationMessage.Content.ReadFromJsonAsync<CreateAppResultDto>();
+        _client.AddSecretKey(accountKeysCreation!.ApiSecret1);
+        await _client.EnableEventLogging(applicationName);
+        using var getApiKeysResponse = await _client.GetAsync($"/admin/apps/{applicationName}/api-keys");
+        var apiKeys = await getApiKeysResponse.Content.ReadFromJsonAsync<IReadOnlyCollection<ApiKeyResponse>>();
+        var keyToLock = apiKeys!.First(x => x.ApiKey.EndsWith(accountKeysCreation.ApiSecret1.GetLast(4)));
+        _ = await _client.PostAsync($"/admin/apps/{applicationName}/api-keys/{keyToLock.Id}/lock", null);
+        _ = await _client.GetAsync("credentials/list");
+        _ = await _client.PostAsync($"/admin/apps/{applicationName}/api-keys/{keyToLock.Id}/unlock", null);
+
+        // Act
+        using var getApplicationEventsResponse = await _client.GetAsync("events?pageNumber=1");
+        // Assert
+        getApplicationEventsResponse.StatusCode.Should().Be(HttpStatusCode.OK);
+        var applicationEvents = await getApplicationEventsResponse.Content.ReadFromJsonAsync<EventLog.GetEventLogEventsResponse>();
+        applicationEvents.Should().NotBeNull();
+        applicationEvents!.Events.Should().NotBeEmpty();
+        applicationEvents.Events.Should().Contain(x => x.EventType == EventType.ApiAuthDisabledSecretKeyUsed.ToString());
+    }
+
+    [Fact]
+    public async Task I_can_view_the_event_for_using_a_disabled_public_key()
+    {
+        // Arrange
+        var applicationName = CreateAppHelpers.GetApplicationName();
+        using var createApplicationMessage = await _client.CreateApplicationAsync(applicationName);
+        var accountKeysCreation = await createApplicationMessage.Content.ReadFromJsonAsync<CreateAppResultDto>();
+        _client.AddSecretKey(accountKeysCreation!.ApiSecret1);
+        _client.AddPublicKey(accountKeysCreation.ApiKey1);
+        await _client.EnableEventLogging(applicationName);
+        using var getApiKeysResponse = await _client.GetAsync($"/admin/apps/{applicationName}/api-keys");
+        var apiKeys = await getApiKeysResponse.Content.ReadFromJsonAsync<IReadOnlyCollection<ApiKeyResponse>>();
+        var keyToLock = apiKeys!.First(x => x.ApiKey.EndsWith(accountKeysCreation.ApiKey1.GetLast(4)));
+        _ = await _client.PostAsync($"/admin/apps/{applicationName}/api-keys/{keyToLock.Id}/lock", null);
+        _ = await _client.PostAsJsonAsync("/signin/begin", new SignInBeginDTO { Origin = PasswordlessApiFactory.OriginUrl, RPID = PasswordlessApiFactory.RpId });
+        _ = await _client.PostAsync($"/admin/apps/{applicationName}/api-keys/{keyToLock.Id}/unlock", null);
+
+        // Act
+        using var getApplicationEventsResponse = await _client.GetAsync("events?pageNumber=1");
+
+        // Assert
+        getApplicationEventsResponse.StatusCode.Should().Be(HttpStatusCode.OK);
+        var applicationEvents = await getApplicationEventsResponse.Content.ReadFromJsonAsync<EventLog.GetEventLogEventsResponse>();
+        applicationEvents.Should().NotBeNull();
+        applicationEvents!.Events.Should().NotBeEmpty();
+        applicationEvents.Events.Should().Contain(x => x.EventType == EventType.ApiAuthDisabledPublicKeyUsed.ToString());
+    }
+
+    [Fact]
+    public async Task I_can_view_the_event_for_using_a_non_existent_api_key()
+    {
+        // Arrange
+        var applicationName = CreateAppHelpers.GetApplicationName();
+        using var createApplicationMessage = await _client.CreateApplicationAsync(applicationName);
+        var accountKeysCreation = await createApplicationMessage.Content.ReadFromJsonAsync<CreateAppResultDto>();
+        _client.AddSecretKey(accountKeysCreation!.ApiSecret1);
+        _client.AddPublicKey($"{applicationName}:public:invalid-public-key");
+        await _client.EnableEventLogging(applicationName);
+        _ = await _client.PostAsJsonAsync("/signin/begin", new SignInBeginDTO { Origin = PasswordlessApiFactory.OriginUrl, RPID = PasswordlessApiFactory.RpId });
+
+        // Act
+        using var getApplicationEventsResponse = await _client.GetAsync("events?pageNumber=1");
+
+        // Assert
+        getApplicationEventsResponse.StatusCode.Should().Be(HttpStatusCode.OK);
+        var applicationEvents = await getApplicationEventsResponse.Content.ReadFromJsonAsync<EventLog.GetEventLogEventsResponse>();
+        applicationEvents.Should().NotBeNull();
+        applicationEvents!.Events.Should().NotBeEmpty();
+        applicationEvents.Events.Should().Contain(x => x.EventType == EventType.ApiAuthInvalidPublicKeyUsed.ToString());
+    }
+
+    [Fact]
+    public async Task I_can_view_the_event_for_using_a_non_existent_api_secret()
+    {
+        // Arrange
+        var applicationName = CreateAppHelpers.GetApplicationName();
+        using var createApplicationMessage = await _client.CreateApplicationAsync(applicationName);
+        var accountKeysCreation = await createApplicationMessage.Content.ReadFromJsonAsync<CreateAppResultDto>();
+        _client.AddSecretKey(accountKeysCreation!.ApiSecret1);
+        _client.AddSecretKey($"{applicationName}:secret:invalid-secret-key");
+        await _client.EnableEventLogging(applicationName);
+        _ = await _client.GetAsync("credentials/list");
+        _client.AddSecretKey(accountKeysCreation!.ApiSecret1);
+
+        // Act
+        using var getApplicationEventsResponse = await _client.GetAsync("events?pageNumber=1");
+
+        // Assert
+        getApplicationEventsResponse.StatusCode.Should().Be(HttpStatusCode.OK);
+        var applicationEvents = await getApplicationEventsResponse.Content.ReadFromJsonAsync<EventLog.GetEventLogEventsResponse>();
+        applicationEvents.Should().NotBeNull();
+        applicationEvents!.Events.Should().NotBeEmpty();
+        applicationEvents.Events.Should().Contain(x => x.EventType == EventType.ApiAuthInvalidSecretKeyUsed.ToString());
+    }
+
     public void Dispose()
     {
         _client.Dispose();

tests/Api.IntegrationTests/Helpers/HttpClientTestExtensions.cs

@@ -24,6 +24,7 @@ public static bool HasSecretKey(this HttpClient client) =>
 
     public static HttpClient AddSecretKey(this HttpClient client, string secretKey)
     {
+        if (client.DefaultRequestHeaders.Contains("ApiSecret")) client.DefaultRequestHeaders.Remove("ApiSecret");
         client.DefaultRequestHeaders.Add("ApiSecret", secretKey);
         return client;
     }

tests/Api.IntegrationTests/Middleware/AuthorizationIntegrationTests.cs

@@ -0,0 +1,84 @@
+using System.Net;
+using System.Net.Http.Json;
+using Passwordless.Api.IntegrationTests.Helpers;
+using Passwordless.Api.IntegrationTests.Helpers.App;
+using Passwordless.Common.Models.Apps;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Passwordless.Api.IntegrationTests.Middleware;
+
+public class AuthorizationIntegrationTests : IClassFixture<PasswordlessApiFactory>
+{
+    private readonly HttpClient _client;
+
+    public AuthorizationIntegrationTests(ITestOutputHelper testOutput, PasswordlessApiFactory apiFactory)
+    {
+        apiFactory.TestOutput = testOutput;
+        _client = apiFactory.CreateClient();
+    }
+
+    [Fact]
+    public async Task I_receive_a_403_when_i_use_a_invalid_api_key_with_an_existing_endpoint()
+    {
+        // Arrange
+        var applicationName = CreateAppHelpers.GetApplicationName();
+        using var createApplicationMessage = await _client.CreateApplicationAsync(applicationName);
+        _ = await createApplicationMessage.Content.ReadFromJsonAsync<CreateAppResultDto>();
+        _client.AddPublicKey($"{Guid.NewGuid():N}:public:{Guid.NewGuid():N}");
+
+        // Act
+        using var actual = await _client.PostAsJsonAsync("/register/begin", string.Empty);
+
+        // Assert
+        Assert.Equal(HttpStatusCode.Unauthorized, actual.StatusCode);
+    }
+
+    [Fact]
+    public async Task I_receive_a_403_when_i_use_a_badly_formatted_api_key_with_an_existing_endpoint()
+    {
+        // Arrange
+        var applicationName = CreateAppHelpers.GetApplicationName();
+        using var createApplicationMessage = await _client.CreateApplicationAsync(applicationName);
+        _ = await createApplicationMessage.Content.ReadFromJsonAsync<CreateAppResultDto>();
+        _client.AddPublicKey("e=mc2trooper");
+
+        // Act
+        using var actual = await _client.PostAsJsonAsync("/register/begin", string.Empty);
+
+        // Assert
+        Assert.Equal(HttpStatusCode.Unauthorized, actual.StatusCode);
+    }
+
+    [Fact]
+    public async Task I_receive_a_403_when_i_use_a_invalid_api_secret_with_an_existing_endpoint()
+    {
+        // Arrange
+        var applicationName = CreateAppHelpers.GetApplicationName();
+        using var createApplicationMessage = await _client.CreateApplicationAsync(applicationName);
+        _ = await createApplicationMessage.Content.ReadFromJsonAsync<CreateAppResultDto>();
+        _client.AddSecretKey($"{Guid.NewGuid():N}:secret:{Guid.NewGuid():N}");
+
+        // Act
+        using var actual = await _client.PostAsJsonAsync("/register/token", string.Empty);
+
+        // Assert
+        Assert.Equal(HttpStatusCode.Unauthorized, actual.StatusCode);
+    }
+
+    [Fact]
+    public async Task I_receive_a_403_when_i_use_a_badly_formatted_api_secret_with_an_existing_endpoint()
+    {
+        // Arrange
+        var applicationName = CreateAppHelpers.GetApplicationName();
+        using var createApplicationMessage = await _client.CreateApplicationAsync(applicationName);
+        _ = await createApplicationMessage.Content.ReadFromJsonAsync<CreateAppResultDto>();
+        _client.AddSecretKey("e=mc2trooper");
+
+        // Act
+        using var actual = await _client.PostAsJsonAsync("/register/token", string.Empty);
+
+        // Assert
+        Assert.Equal(HttpStatusCode.Unauthorized, actual.StatusCode);
+    }
+}

tests/Api.IntegrationTests/Middleware/RoutingIntegrationTests.cs

@@ -0,0 +1,52 @@
+using System.Net;
+using System.Net.Http.Json;
+using Passwordless.Api.IntegrationTests.Helpers;
+using Passwordless.Api.IntegrationTests.Helpers.App;
+using Passwordless.Common.Models.Apps;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Passwordless.Api.IntegrationTests.Middleware;
+
+public class RoutingIntegrationTests : IClassFixture<PasswordlessApiFactory>
+{
+    private readonly HttpClient _client;
+
+    public RoutingIntegrationTests(ITestOutputHelper testOutput, PasswordlessApiFactory apiFactory)
+    {
+        apiFactory.TestOutput = testOutput;
+        _client = apiFactory.CreateClient();
+    }
+
+    [Fact]
+    public async Task I_receive_a_404_when_i_use_a_badly_formatted_api_secret_with_a_non_existing_endpoint()
+    {
+        // Arrange
+        var applicationName = CreateAppHelpers.GetApplicationName();
+        using var createApplicationMessage = await _client.CreateApplicationAsync(applicationName);
+        _ = await createApplicationMessage.Content.ReadFromJsonAsync<CreateAppResultDto>();
+        _client.AddSecretKey("e=mc2trooper");
+
+        // Act
+        using var actual = await _client.GetAsync("/non-existent-endpoint");
+
+        // Assert
+        Assert.Equal(HttpStatusCode.NotFound, actual.StatusCode);
+    }
+
+    [Fact]
+    public async Task I_receive_a_404_when_i_use_a_badly_formatted_api_key_with_a_non_existing_endpoint()
+    {
+        // Arrange
+        var applicationName = CreateAppHelpers.GetApplicationName();
+        using var createApplicationMessage = await _client.CreateApplicationAsync(applicationName);
+        _ = await createApplicationMessage.Content.ReadFromJsonAsync<CreateAppResultDto>();
+        _client.AddPublicKey("e=mc2trooper");
+
+        // Act
+        using var actual = await _client.GetAsync("/non-existent-endpoint");
+
+        // Assert
+        Assert.Equal(HttpStatusCode.NotFound, actual.StatusCode);
+    }
+}